PLUTO-44 Defense-in-depth: render-path requireCapForAction throw should render graceful acceso-denegado, not 500 + admin error-email storm (generic error-boundary / convert render-path cap checks to redirect variant). Surfaced by PLUTO-43 (dead-fetch was the trigger; this guards the class).

PLUTO-44 · pluto

Defense-in-depth: render-path requireCapForAction throw should render graceful acceso-denegado, not 500 + admin error-email storm (generic error-boundary / convert render-path cap checks to redirect variant). Surfaced by PLUTO-43 (dead-fetch was the trigger; this guards the class).

No sub-items.

No questions.

2026-06-12T01:54:26.940Z · created · wi-cli-venus
2026-06-12T01:56:10.668Z · note · wi-cli-venus

Scoping nuance from audit-pluto (PLUTO-43 concurrence): a direct grep for render-path THROWING guard imports comes back ~empty and is MISLEADING. The real risk class is a render/page awaiting an ACTION that INTERNALLY throws a cap-guard (withCap/requireCapForAction) — exactly the PLUTO-43 dead-fetch bug. PLUTO-44 sweep must trace render-path call sites for imported server actions that wrap withCap/requireCapForAction, NOT direct guard imports. Fix shape: render-path cap-throw -> graceful acceso-denegado, not 500+admin-email.